For anyone who will find this post and struggling to offload PowerBox PRO (hex poe) to unload CPU because with full bridge VLAN filtering it does around 350-400 mbps tops.
Bridging VLAN interface is not good, but the only option to commutate on CPU level and stick software sfp1 port into switch chip filtering.
/interface bridge
add fast-forward=no name=bridge1
add fast-forward=no name=bridge88 protocol-mode=none
/interface vlan
add interface=bridge1 loop-protect=off name=vlan88_ISP vlan-id=88
add interface=bridge1 loop-protect=off name=vlan241_mgmt vlan-id=241
/interface ethernet switch
set 0 cpu-flow-control=no
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=246 vlan-mode=secure
set 2 default-vlan-id=242 vlan-mode=secure
set 3 default-vlan-id=246 vlan-mode=secure
set 4 vlan-mode=secure
set 5 vlan-mode=secure
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge88 interface=sfp1
add bridge=bridge88 interface=vlan88_ISP
/interface ethernet switch vlan
add independent-learning=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=88
add independent-learning=yes ports=switch1-cpu,ether1,ether5 switch=switch1 vlan-id=241
add independent-learning=yes ports=ether1,ether5 switch=switch1 vlan-id=240
add independent-learning=yes ports=ether1,ether3,ether5 switch=switch1 vlan-id=242
add independent-learning=yes ports=ether1,ether2,ether4 switch=switch1 vlan-id=246
add independent-learning=yes ports=ether1,ether5 switch=switch1 vlan-id=247
The load is asynchronous, DL is up to 700 mbps with 60-70% CPU load (ISP is shaping), probably can reach 1 gbit. UL is around 350-400 still, will recheck config later, but it seems that chip offload works in only one direction regarding vlan88 ISP, maybe it should be that way.
NB! @MikroTik please make new revisions of good old soho devices, with multicore ARM cpu and full poe support. Such as hex s, powerbox pro\hex poe etc. Sometimes you need a long poe daisy chain and new l009 and 5009 doesn’t support poe passthrough and you have to use PSU which is inconvenient. hex s is great, but sfp port not on chip (thanks for offloading vlan filtering though) and hex poe is too weak with 1 core CPU and unstable if you try to overclock it.